5 Replies Latest reply on Jun 21, 2012 2:43 PM by Mike Pomraning

    SSL certificate

    Kelvin Davis Lurker

      Hey,


      Would anybody be able to tell us why our SSL certificate is failing PCI scans? Qualys PCI reports: "Server Supports Weak Encryption Vulnerability (QID: 38140)"


      However when I check mail.aqualisa.co.uk (redirects to https) on www.digicert.com/help it reports "Signature algorithm = SHA1 + RSA (good)"


      Any pointers would be very helpful thank you.


      Regards,

      Kelvin

        • Re: SSL certificate
          Keith Shaw Level 2

          To fix this vulnerability you will need to change your server configuration to not allow connections with weak encryption.  Try running an SSL Server Test to find out what protocols and cipher suites your server supports.


          Cheers,

          Keith

            • SSL certificate
              Tuan Phan Level 1

               The tool that you provided to do the SSL analysis is for external domains. Do you have that same tool for internal use?

                • SSL certificate
                  Mike Pomraning Level 1

                  Tuan,


                  A VM subscription can provide almost all of the functionality of SSL Labs' external scans, as described here:  https://community.qualys.com/thread/10275


                  -Mike

                    • SSL certificate
                      Tuan Phan Level 1

                      Mike,


                       We do have a VM subscription and we could not find a way to resolve the SSL Server Supports Weak Encryption Vulnerability (QID: 38140). We don’t know what the scan is looking for, nor do we have any experience in setting those cipher parameters. We are not seeking certificate checking, nor checking to see if any of them have expired or are soon to expire. The SSL Server Test is good for external, but what about internal? Overall, what is the solution to remediate QID 38140? Thank you

                        • SSL certificate
                          Mike Pomraning Level 1

                          Tuan,


                          The KnowledgeBase entry for QID 38140 under the Threat section identifies LOW grade ciphers as those with a small key length.  Under the Solution section it proposes some common configuration options for Apache and Tomcat, and provides links for IIS configuration.


                           (If memory serves, the UNIX command-line client openssl can also be asked to produce a list of LOW grade ciphers as follows: openssl ciphers LOW.  Any ciphers that appear there probably ought to be suppressed from your servers.  Now, your openssl build might not have exactly the same cipher list as the current scanner, but it's a place to start if the KnowledgeBase suggestions aren't appropriate.)


                          -Mike
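As an added example (not code from this thread or from Qualys), the Python below applies the key-length definition of LOW grade ciphers that Mike refers to: it parses `openssl ciphers -v` style output, flags suites with a small symmetric key, export grade or no encryption, and builds the `!NAME` exclusions you would feed into a server's cipher string. The sample lines are constructed and the 112-bit threshold is an assumption chosen for the example.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the layout `openssl ciphers -v` prints:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=ALG(bits)  Mac=...  [export]
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

# Assumed threshold for this example: under 112 bits of symmetric key
# (single DES, 40-bit export suites, NULL encryption) counts as weak.
WEAK_BELOW_BITS = 112

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=\S+(?P<export>\s+export)?\s*$"
)

class Suite(NamedTuple):
    name: str
    proto: str
    enc: str      # e.g. "DES(56)" or "None"
    bits: int     # symmetric key bits, 0 for Enc=None
    export: bool

def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bits_m = re.search(r"\((\d+)\)", m["enc"])
        bits = int(bits_m.group(1)) if bits_m else 0
        suites.append(Suite(m["name"], m["proto"], m["enc"], bits, m["export"] is not None))
    return suites

def weak_suites(suites: List[Suite]) -> List[Suite]:
    """Suites with a small key, export grade, or no encryption at all."""
    return [s for s in suites if s.bits < WEAK_BELOW_BITS or s.export]

def exclusion_string(weak: List[Suite]) -> str:
    """OpenSSL cipher-string fragment that drops each weak suite by name (!NAME)."""
    return ":".join("!" + s.name for s in weak)
```

Run it against the real output of `openssl ciphers -v ALL` on the host in question to see which suites the scanner is likely objecting to before editing the server configuration.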